We’ve assembled a panel of experts, including some of the major speakers at The Open Group Conference, to provide an update on the achievements at OTTF, and to learn more about how technology suppliers and buyers can expect to benefit. [Disclosure: The Open Group is a sponsor of BriefingsDirect podcasts.]

Gardner: We're also joined by Andras Szakal, Vice President and Chief Technology Officer at IBM's U.S. Federal Group, and also the Chair of the OTTF. He also leads the development of The Open Trusted Technology Provider Standard. Welcome back, Andras.

Gardner: Dave Lounsbury, first to you. OTTF was created about 18 months ago, but I suspect that the urgency for these types of supply chain trust measures has only grown. We’ve seen some congressional testimony and we’ve seen some developments in the market that make this a bit more pressing.

Why this is an important issue, and why is there a sense of urgency in the markets?

Boundaryless information

Lounsbury: You framed it very nicely at the beginning, Dana. The Open Group has a vision of boundaryless information flow, and that necessarily involves interoperability. But interoperability doesn't have the effect that you want, unless you can also trust the information that you're getting, as it flows through the system.

Therefore, it’s necessary that you be able to trust all of the links in the chain that you use to deliver your information. One thing that everybody who watches the news would acknowledge is that the threat landscape has changed. As systems become more and more interoperable, we get more and more attacks on the system.

As the value that flows through the system increases, there’s a lot more interest in cyber crime. Unfortunately, in our world, there's now the issue of state-sponsored incursions in cyberspace, whether officially state-sponsored or not, but politically motivated ones certainly.

So there is an increasing awareness on the part of government and industry that we must protect the supply chain, both through increasing technical security measures, which are handled in lots of places, and in making sure that the vendors and consumers of components in the supply chain are using proper methodologies to make sure that there are no vulnerabilities in their components.

I'm sure that Andras, Edna, and Dan will give us a lot more detail on what those vulnerabilities are, but from an Open Group perspective, I'll note that the demand we're hearing is increasingly for work on standards in security, whether it's the technical security aspects or these global supply-chain aspects. That’s top of everybody's mind these days.

Gardner: Let’s go through our panel and try to get a bit more detail about what it is that we are trying to solve or prevent. Dan Reddy, what do you view as some of the critical issues that need to be addressed, and why the OTTF has been created in the first place?

Reddy: One of the things that we're addressing, Dana, is the supply chain item that was part of the Comprehensive National Cybersecurity Initiative (CNCI), which spans the work of two presidents. Initiative 11 was to develop a multi-pronged approach to global supply chain risk management. That really started the conversation, especially in the federal government as to how private industry and government should work together to address the risks there.

In the OTTF, we've tried create a clear measurable way to address supply-chain risk. It’s been really hard to even talk about supply chain risk, because you have to start with getting a common agreement about what the supply chain is, and then talk about how to deal with risk by following best practices.

Gardner: Andras, the same question. It seems like a vexing issue. How can one possibly develop the ability to verify deep into the supply chains, in many cases coming across international boundaries, and then bring into some play a standard to allow this to continue with a sense of security and trust? It sounds pretty daunting.

Szakal: In many ways, it is. One of the observations that I've made over the last couple of years is that this group of individuals, who are now part of this standards forum, have grown in their ability to collaborate, define, and rise to the challenges, and work together to solve the problem.

Standards process

Technology supply chain security and integrity are not necessarily a set of requirements or an initiative that has been taken on by the standards committee or standards groups up to this point. The people who are participating in this aren't your traditional IT standards gurus. They had to learn the standards process. They had to understand how to approach the standardization of best practices, which is how we approach solving this problem.

It’s sharing information. It’s opening up across the industry to share best practices on how to secure the supply chain and how to ensure its overall integrity. Our goal has been to develop a framework of best practices and then ultimately take those codified best practices and instantiate them into a standard, which we can then assess providers against. It’s a big effort, but I think we’re making tremendous progress.

Gardner: Because The Open Group Conference is taking place in Washington, D.C., what’s the current perception in the U.S. Government about this in terms of its role? Is this a "stand by and watch?" Is this "get involved?" Is there the thought of adding some teeth to this at some point that the government can display in terms of effective roles?

Szakal: Well, the whole forum arose out of the work that Dan just discussed with the CNCI. The government has always taken a prominent role, at least to help focus the attention of the industry.

The government has always taken a prominent role, at least to help focus the attention of the industry.

Now that they’ve corralled the industry and they’ve got us moving in the right direction, in many ways, we’ve fought through many of the intricate complex technology supply chain issues and we’re ahead of some of the thinking of folks outside of this group because the industry lives these challenges and understands the state of the art. Some of the best minds in the industry are focused on this, and we’ve applied some significant internal resources across our membership to work on this challenge.

It’s very much a collaborative effort, and I'm hoping that it can continue to be so and be utilized as a standard that the government can point to, instead of coming up with their own policies and practices that may actually not work as well as those defined by the industry.

Gardner: Edna Conway, have we missed anything in terms of being well-versed in understanding the challenge here?

Conway: The challenge is moving a little bit, and our colleagues on the public side of the public-private partnership addressing supply-chain integrity have recognized that we need to do it together.

More importantly, you need only to listen to a statement, which I know has often been quoted, but it’s worth noting again from EU Commissioner Algirdas Semeta. He recently said that in a globalized world, no country can secure the supply chain in isolation. He recognized that, again quoting, national supply chains are ineffective and too costly unless they’re supported by enhanced international cooperation.

Mindful focus

The one thing that we bring to bear here is a mindful focus on the fact that we need a public-private partnership to address comprehensively in our information and communications technology industry supply chain integrity internationally. That has been very important in our focus. We want to be a one-stop shop of best practices that the world can look at, so that we continue to benefit from commercial technology which sells globally and frequently builds once or on a limited basis.

Combining that international focus and the public-private partnership is something that's really coming home to roost in everyone’s minds right now, as we see security value migrating away from an end point and looking comprehensively at the product lifecycle or the global supply chain.

Gardner: We obviously have an important activity. We have now more collaboration among and between public and private sectors as well as the wider inclusion of more countries and more regions.

Dave Lounsbury, perhaps you could bring us up to speed on where we are in terms of this as a standard. Eighteen months isn’t necessarily a long time in the standards business, but there is, as we said, some emergency here. Perhaps you could set us up in understanding where we are in the progression and then we’ll look at some of the ways in which these issues are being addressed.

Lounsbury: I’d be glad to, Dana, but before I do that, I want to amplify on the point that Edna and Andras made. I had the honor of testifying before the House Energy and Commerce Committee on Oversight Investigations, on the view from within the U.S. Government on IT security.

It was even more gratifying to see that the concerns that were raised in the hearings were exactly the ones that the OTTF is pursuing.

It was very gratifying to see that the government does recognize this problem. We had witnesses in from the DoD and Department of Energy (DoE). I was there, because I was one of the two voices on industry that the government wants to tap into to get the industry’s best practices into the government.

It was even more gratifying to see that the concerns that were raised in the hearings were exactly the ones that the OTTF is pursuing. How do you validate a long and complex global supply chain in the face of a very wide threat environment, recognizing that it can’t be any single country? Also, it really does need to be not a process that you apply to a point, but something where you have a standard that raises the bar for our security for all the participants in your supply chain.

So it was really good to know that we were on track and that the government, and certainly the U.S. Government, as we’ve heard from Edna, the European governments, and I suspect all world governments are looking at exactly how to tap into this industry activity.

Now to answer your question directly -- in the last 18 months, there has been a tremendous amount of progress. The thing that I'll highlight is that early in 2012, the OTTF published a snapshot of the standard. A snapshot is what The Open Group uses to give a preview of what we expect the standards will apply. It has fleshed out two areas, one on tainted products and one on counterfeit products, the standards and best practices needed to secure a supply chain against those two vulnerabilities.

So that’s out there. People can take a look at that document. Of course, we would welcome their feedback on it. We think other people have good answers too. Also, if they want to start using that as guidance for how they should shape their own practices, then that would be available to them.

Normative guidance

Of course, with Andras as the Chair, Edna as the Vice-Chair, and Dan as a key contributor, I'm probably the least qualified one on the call to talk about the current state, but what they've been focusing on is how you would go from having the normative guidance of the standard to having some sort of a process by which a vendor could indicate their conformance to those best practices and standards.

That’s the top development topic inside the OTTF itself. Of course, in parallel with that, we're continuing to engage in an outreach process and talking to government agencies that have a stake in securing the supply chain, whether it's part of government policy or other forms of steering the government to making sure they are making the right decisions. In terms of exactly where we are, I'll defer to Edna and Andras on the top priority in the group.

Gardner: Let’s do that. Edna, can you perhaps fill us in on what the prioritization, some of the activities, a recap if you will of what’s been going on at OTTF and where things stand?

Conway: We decided that this was, in fact, a comprehensive effort that was going to grow over time and change as the challenges change. We began by looking at two primary areas, which were counterfeit and taint in that communications technology arena. In doing so, we first identified a set of best practices, which you referenced briefly inside of that snapshot.

Where we are today is adding the diligence, and extracting the knowledge and experience from the broad spectrum of participants in the OTTF to establish a set of rigorous conformance criteria that allow a balance between flexibility and how one goes about showing compliance to those best practices, while also assuring the end customer that there is rigor sufficient to ensure that certain requirements are met meticulously, but most importantly comprehensively.

We have a practice right now where we're going through each and every requirement or best practice and thinking through the broad spectrum of the development stage of the lifecycle, as well as the end-to-end nodes of the supply chain itself.

This is to ensure that there are requirements that would establish conformance that could be pointed to, by both those who would seek accreditation to this international standard, as well as those who would rely on that accreditation as the imprimatur of some higher degree of trustworthiness in the products and solutions that are being afforded to them, when they select an OTTF accredited provider.

Gardner: Andras, when we think about the private sector having developed a means for doing this on its own, that now needs to be brought into a standard and towards an accreditation process. I'm curious where in an organization like IBM, that these issues are most enforceable.

Is this an act of the procurement group? Is it the act of the engineering and the specifying? Is it a separate office, like Dan is, with the product security office? I know this is a big subject. I don’t want to go down too deeply, but I'm curious as to where within the private sector the knowledge and the expertise for these sorts of things seem to reside?

Szakal: That’s a great question, and the answer is both. Speaking for IBM, we recently celebrated our 100th anniversary in 2011. We’ve had a little more time than some folks to come up with a robust engineering and development process, which harkens back to the IBM 701 and the beginning of the modern computing era.

Integrated process

We have what we call the integrated product development process (IPD), which all products follow and that includes hardware and software. And we have a very robust quality assurance team, the QSE team, which ensures that the folks are following those practices that are called out. Within each of line of business there exist specific requirements that apply more directly to the architecture of a particular product offering.

For example, the hardware group obviously has additional standards that they have to follow during the course of development that is specific to hardware development and the associated supply chain, and that is true with the software team as well.

The product development teams are integrated with the supply chain folks, and we have what we call the Secure Engineering Framework, of which I was an author and the Secure Engineering Initiative which we have continued to evolve for quite some time now, to ensure that we are effectively engineering and sourcing components and that we're following these Open Trusted Technology Provider Standard (O-TTPS) best practices.

In fact, the work that we've done here in the OTTF has helped to ensure that we're focused in all of the same areas that Edna’s team is with Cisco, because we’ve shared our best practices across all of the members here in the OTTF, and it gives us a great view into what others are doing, and helps us ensure that we're following the most effective industry best practices.

Gardner: It makes sense, certainly, if you want to have a secure data center, you need to have the various suppliers that contribute to the creation of that data center operating under some similar processes.

We want to be able to encourage suppliers, which may be small suppliers, to conform to a standard, as we go and select who will be our authorized suppliers.

Dan Reddy at EMC, is the Product Security Office something similar to what Andras explained for how IBM operates? Perhaps you could just give us a sense of how it’s done there in terms of who is responsible for this, and then how those processes might migrate out to the standard?

Reddy: At EMC in our Product Security Office, we house the enabling expertise to define how to build their products securely. We're interested in building that in as soon as possible throughout the entire lifecycle. We work with all of our product teams to measure where they are, to help them define their path forward, as they look at each of the releases of their other products. And we’ve done a lot of work in sharing our practices within the industry.

One of the things this standard does for us, especially in the area of dealing with the supply chain, is it gives us a way to communicate what our practices are with our customers. Customers are looking for that kind of assurance and rather than having a one-by-one conversation with customers about what our practices are for a particular organization. This would allow us to have a way of demonstrating the measurement and the conformance against a standard to our own customers.

Also, as we flip it around and take a look at our own suppliers, we want to be able to encourage suppliers, which may be small suppliers, to conform to a standard, as we go and select who will be our authorized suppliers.

Gardner: Dave Lounsbury at The Open Group, it seems that those smaller suppliers that want to continue to develop and sell goods to such organizations as EMC, IBM, and Cisco would be wise to be aware of this standard and begin to take steps, so that they can be in compliance ahead of time or even seek accreditation means.

What would you suggest for those various suppliers around the globe to begin the process, so that when the time comes, they're in an advantageous position to continue to be vigorous participants in these commerce networks?Publications catalog

Lounsbury: Obviously, the thing I would recommend right off is to go to The Open Group website, go to the publications catalog, and download the snapshot of the OTTF standard. That gives a good overview of the two areas of best practices for protection from tainted and counterfeit products we’ve mentioned on the call here.

That’s the starting point, but of course, the reason it’s very important for the commercial world to lead this is that commercial vendors face the commercial market pressures and have to respond to threats quickly. So the other part of this is how to stay involved and how to stay up to date?

And of course the two ways that The Open Group offers to let people do that is that you can come to our quarterly conferences, where we do regular presentations on this topic. In fact, the Washington meeting is themed on the supply chain security.

Of course, the best way to do it is to actually be in the room as these standards are evolved to meet the current and the changing threat environment. So, joining The Open Group and joining the OTTF is absolutely the best way to be on the cutting edge of what's happening, and to take advantage of the great information you get from the companies represented on this call, who have invested years-and-years, as Andras said, in making their own best practices and learning from them.

Gardner: Edna Conway, we’ve mentioned a couple of the early pillars of this effort -- taint and counterfeit. Do we have a sense of what might be the next areas that would be targeted. I don’t mean for you all to set in stone your agenda, but I'm curious as to what's possible next areas would be on the short list of priorities?

It's from that kind of information sharing, as we think in a more comprehensive way, that we begin to gather the expertise.

Conway: You’ve heard us talk about CNCI, and the fact that cybersecurity is on everyone’s minds today. So while taint embodies that to some degree, we probably need to think about partnering in a more comprehensive way under the resiliency and risk umbrella that you heard Dan talk about and really think about embedding security into a resilient supply chain or a resilient enterprise approach.

In fact, to give that some forethought, we actually have invited at the upcoming conference, a colleague who I've worked with for a number of years who is a leading expert in enterprise resiliency and supply chain resiliency to join us and share his thoughts.

He is a professor at MIT, and his name is Yossi Sheffi. Dr. Sheffi will be with us. It's from that kind of information sharing, as we think in a more comprehensive way, that we begin to gather the expertise that not only resides today globally in different pockets, whether it be academia, government, or private enterprise, but also to think about what the next generation is going to look like.

Resiliency, as it was known five years ago, is nothing like supply chain resiliency today, and where we want to take it into the future. You need only look at the US national strategy for global supply chain security to understand that. When it was announced in January of this year at Davos by Secretary Napolitano of the DHS, she made it quite clear that we're now putting security at the forefront, and resiliency is a part of that security endeavor.

So that mindset is a change, given the reliance ubiquitously on communications, for everything, everywhere, at all times -- not only critical infrastructure, but private enterprise, as well as all of us on a daily basis today. Our communications infrastructure is essential to us.

Thinking about resiliency

Given that security has taken top ranking, we’re probably at the beginning of this stage of thinking about resiliency. It's not just about continuity of supply, not just about prevention from the kinds of cyber incidents that we’re worried about, but also to be cognizant of those nation-state concerns or personal concerns that would arise from those parties who are engaging in malicious activity, either for political, religious or reasons.

Or, as you know, some of them are just interested in seeing whether or not they can challenge the system, and that causes loss of productivity and a loss of time. In some cases, there are devastating negative impacts to infrastructure.

Gardner: Andras at IBM, any thoughts on where the next priorities are? We heard resiliency and security. Any other inputs from your perspective?

Szakal: I am highly focused right now on trying to establish an effective and credible accreditation program, and working to test the program with the vendors.

From an IBM perspective, we're certainly going to try to be part of the initial testing of the program. When we get some good quality data with respect to challenges or areas that the OTTF thinks need refinement, then the members will make some updates to the standard.

We'll then be able to take that level of confidence and assurance that we get from knowing that and translate it to the people who are acquiring our technology as well.

There's another area too that I am highly focused on, but have kind of set aside, and that's the continued development and formalization of the framework itself that is to continue the collective best practices from the industry and provide some sort of methods by which vendors can submit and externalize those best practices. So those are a couple of areas that I think that would keep me busy for the next 12 months easily.

Gardner: Before we wrap up, I want to try to develop some practical examples of where and how this is being used successfully, and I’d like to start with you, Dan. Do you have any sense of where, in a supply chain environment, the focus on trust and verification has come to play and has been successful?

I don’t know if you can mention names, but at least give our listeners and readers a sense of how this might work by an example of what’s already taken place?

Reddy: I'm going to build on what I said a little bit earlier in terms of working with our own suppliers. What we're envisioning here is an ecosystem, where as any provider of technology goes and sources the components that go into our products, we can turn around and have an expectation that those suppliers will have gone through this process. We'll then be able to take that level of confidence and assurance that we get from knowing that and translate it to the people who are acquiring our technology as well.

As Andras is saying, this is going to take a while to roll out and get everyone to take advantage of this, but ultimately, our success is going to be measured by if we have a fully functioning ecosystem, where this is the way that we measure conformance against the standard, whether you are a large or a small company.Further along

We think that this initiative is further along than most anything else in the landscape today. When people take a look at it, they'll realize that all of the public and private members that have created this have done it through a very rigorous conformance and consensus process. We spend a lot of time weighing and debating every single practice that goes into the standard and how it’s expressed.

You may be able to read 50 pages quickly, but there is a lot behind it. As people figure out how those practices match up with their own practices and get measured against them, they're going to see a lot of the value.

Conway: It’s being used in a number of companies that are part of OTTF in a variety of ways. You’ve heard Dan talk about what we would expect of our suppliers, and obviously, for me, the supply chain is near and dear to my heart, as I develop that strategy. But, what I think you will see is a set of practices that companies are already embracing.

For example, at Cisco, we think about establishing trustworthy networks. Dan’s company may have a slightly different view given the depth and breadth of the portfolio of what EMC delivers to its many customers with integrity. Embedding this kind of supply chain security as a foundational element of what you're delivering to the customer requires that you actually have a go-to-market strategy that allows you to address integrity and security within it.

Then to flip back to what Dan said, you need areas of discipline, where there are best practices with regard to things like logistics security and electronic fabrication practices, obviously, looking uniquely in our industry which is what the OTTF is focusing on.

You need areas of discipline, where there are best practices with regard to things like logistics security and electronic fabrication practices.

If you look deeply, you'll find that there is a way to take a best practice and actually follow it. I just came from Florida, where I was stuck in a tropical storm so I have those storm "spaghetti models" that the media show on the television to predict the path of storm action. If you looked at O-TTPS as a spaghetti model, so to speak, you would have the hub being the actual best practice, but there are already pockets of best practices being used.

You heard Andras talk about the fact that IBM has a robust methodology with regard to secure engineering. You heard Dan mention it as well. We too at Cisco have a secure development lifecycle with practices that need to be engaged in. So it’s embracing the whole, and then bringing it down into the various nodes of the supply chain and practices.

There are pockets right now in development, in logistics, and in fabrication already well under way that we are going to both capitalize on, and hopefully raise the bar for the industry overall. Because if we do this properly, in the electronics industry we all use the vast majority of a similar set of supply-chain partners.

What that will do is raise the bar for the customers and allow those of us who are innovators to differentiate on our innovation and on how we might achieve the best practices, rather than worrying about are you trustworthy or not. If we do it right, trust will be an automatic given.

Gardner: I have to imagine that going out to the market with the ability to assert that level of trust is a very good position in terms of marketing and competitive analysis. So this isn’t really something that goes on without a lot of commercial benefits associated with it, when it’s done properly. Any reaction to that Andras in terms of companies that do this well? I guess they should feel that they have an advantage in the market.

Secure by Design

Szakal: Especially now in this day and age, any time that you actually approach security as part of the lifecycle -- what we call an IBM Secure by Design -- you're going to be ahead of the market in some ways. You're going to be in a better place. All of these best practices that we’ve defined are additive in effect. However, the very nature of technology as it exists today is that it will be probably another 50 or so years, before we see a perfect security paradigm in the way that we all think about it.

So the researchers are going to be ahead of all of the providers in many ways in identifying security flaws and helping us to remediate those practices. That’s part of what we're doing here, trying to make sure that we continue to keep these practices up to date and relevant to the entire lifecycle of commercial off-the-shelf technology (COTS) development.

So that’s important, but you also have to be realistic about the best practices as they exist today. The bar is going to move as we address future challenges.

Gardner: I'm afraid we have to leave it there. We’ve been talking about making global supply chains for technology providers more secure, verified, and therefore, trusted. We’ve been learning about the achievements of OTTF and how technology suppliers and buyers will expect to benefit from that moving forward.

You also have to be realistic about the best practices as they exist today. The bar is going to move as we address future challenges.

This special BriefingsDirect discussion comes to you in conjunction with The Open Group Conference from July 16 - 20 in Washington, D.C. You’ll hear more from these and other experts on the ways that IT and enterprise architecture support any enterprise transformation as well as how global supply chains are being better secured.

I’d like to thank our panel for this very interesting discussion. We’ve been here with Dave Lounsbury, Chief Technical Officer at The Open Group. Thanks, Dave.

Gardner: Yes, and I’ll look forward to all of your presentations and discussions in Washington as well. I encourage our readers and listeners to attend the conference and learn even more. Some of the proceedings will be online and available for streaming, and you could take advantage of that as well.

This is Dana Gardner, Principal Analyst at Interarbor Solutions, your host and moderator through these thought leadership interviews. Thanks again for listening, and come back next time.

Transcript of a BriefingsDirect podcast focusing on the upcoming Open Group Conference and the effort to develop standards to make IT supply chains secure, verified, and trusted. Copyright The Open Group and Interarbor Solutions, LLC, 2005-2012. All rights reserved.